Best Western have publicly refuted the story reported in the Sunday Herald and stated that “Claims reported about our Central Reservations customer records are not accurate” (read the full statement here).
The statement is fairly vague and as Information Week point out:
the release states that there is “no evidence” to support the sensational claims in the news story…Yet, fascinatingly, the company is admitting that the very reporter, for which there is “no evidence to support sensational claims,” brought the fact that there was a breach to Best Western’s attention. So, at least there is some evidence to support the claims. So what, exactly, is accurate, and what, exactly, is not in the story. We’re not told.
The compromise, as originally reported, appears to be the result of an unidentified and unseen Trojan placed on a computer: we can speculate how: maybe because the system was unpatched for some period of time or via an as yet unknown vulnerability. It may even have been installed deliberately by a malicious insider or might be the result of somebody downloading something that contained the undetected malware. It’s almost certainly a well targeted attack: the database will have represented rich pickings.